[hsb] Presents: OtterCTF 2018 — Memory Forensics Write-Up

Dec 11, 2018

I had been getting so busy at work that I needed some time off to sharpen my (rusty) skills, so my team and I decided to participate in an online CTF called OtterCTF. I̶’̶m̶ ̶r̶u̶n̶n̶i̶n̶g̶ ̶o̶u̶t̶ ̶o̶f̶ ̶c̶o̶n̶t̶e̶n̶t̶ ̶f̶o̶r̶ ̶t̶h̶e̶ ̶y̶e̶a̶r̶ I found the questions challenging and interesting, so I decided to do a write-up! 😅

Screenshot

Yeboiii an all-kill! It was a proud moment for our team 😢

Step 0: Preparation

Whenever I am given a memory image to analyze, I do the following steps first as part of my routine:

1. Identify the suggested profile for the memory image using imageinfo

Volatility lists several suggested profiles; we'll use the first one, Win7SP1x64.

Therefore, every volatility command from here on should carry the --profile=Win7SP1x64 flag.

2. List the available registry hives

This one is straightforward: run volatility with the hivelist plugin:

Take note of the virtual addresses of the registry hives since we’ll be using them on the next step.

3. Dump the available registry hives (For system profiling/creds dumping)

This is just as easy thanks to the dumpregistry plugin. Running:

volatility -f OtterCTF.vmem --profile=Win7SP1x64 dumpregistry -o <virtual memory address of the hive> -D <output directory>

dumps the hive at that virtual address into the specified output directory.

4. Perform quick regripper runs on the dumped hives

Execute the following command to perform a quick run of regripper on the specified hives:

rip -r <registry file> -f <sam/security/software/system> > <output file>

In my opinion, running these commands before the real analysis ensures you already have the preliminary data needed for a quick but thorough pass over a memory image.
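The four preparation steps above are mostly glue: read the offsets out of hivelist, feed each one to dumpregistry, then hand the dumped hive to RegRipper with the matching -f profile. The script below is an added example (not from the write-up) that automates the middle part: it parses hivelist output into offsets and names and emits the dumpregistry and rip commands from the text. The hivelist output is a constructed sample, not the real OtterCTF listing; the "ntuser" RegRipper profile and the <dumped ... hive> placeholder are my assumptions, since dumpregistry chooses the output file name itself.

```python
import re
from typing import Dict, List

# Constructed sample of `volatility ... hivelist` output (not from the real OtterCTF image).
SAMPLE_HIVELIST = """\
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a000024010 0x000000002d4d4010 [no name]
0xfffff8a00000f010 0x000000002d60d010 \\REGISTRY\\MACHINE\\SYSTEM
0xfffff8a000aa2010 0x000000001d5cc010 \\SystemRoot\\System32\\Config\\SECURITY
0xfffff8a000ad8010 0x000000001d5f7010 \\SystemRoot\\System32\\Config\\SOFTWARE
0xfffff8a000ba0010 0x000000001c5d0010 \\SystemRoot\\System32\\Config\\SAM
0xfffff8a001c0e010 0x000000001a2a5010 \\??\\C:\\Users\\Rick\\ntuser.dat
"""

# Last path component of a hive -> RegRipper -f profile. The first four are the ones the
# write-up names; "ntuser" is an assumed extra profile for per-user hives.
RIP_PROFILE = {
    "SYSTEM": "system",
    "SOFTWARE": "software",
    "SECURITY": "security",
    "SAM": "sam",
    "NTUSER.DAT": "ntuser",
}

# A data row: virtual offset, physical offset, then the hive name (which may contain spaces).
HIVE_LINE = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S.*)$")


def parse_hivelist(text: str) -> List[Dict[str, str]]:
    """Turn hivelist plugin output into a list of {virtual, physical, name} rows."""
    hives = []
    for line in text.splitlines():
        m = HIVE_LINE.match(line.strip())
        if not m:
            continue  # banner, column header or separator line
        virtual, physical, name = m.groups()
        if name == "[no name]":
            continue  # anonymous hive, nothing for RegRipper to work on
        hives.append({"virtual": virtual, "physical": physical, "name": name})
    return hives


def plan_commands(hives: List[Dict[str, str]], image: str = "OtterCTF.vmem",
                  profile: str = "Win7SP1x64", outdir: str = "hives") -> List[Dict[str, str]]:
    """Build the dumpregistry and rip commands from the write-up for every recognised hive."""
    plan = []
    for h in hives:
        leaf = h["name"].rsplit("\\", 1)[-1].upper()
        rip = RIP_PROFILE.get(leaf)
        if rip is None:
            continue  # BCD, HARDWARE and similar hives have no quick RegRipper profile
        dump = (f"volatility -f {image} --profile={profile} dumpregistry "
                f"-o {h['virtual']} -D {outdir}")
        # dumpregistry picks the output file name; <dumped ... hive> is a placeholder to fill in.
        rip_cmd = f"rip -r <dumped {leaf} hive> -f {rip} > {outdir}/{rip}.txt"
        plan.append({"hive": leaf, "dumpregistry": dump, "rip": rip_cmd})
    return plan


if __name__ == "__main__":
    for step in plan_commands(parse_hivelist(SAMPLE_HIVELIST)):
        print(step["dumpregistry"])
        print(step["rip"])
```

Pipe real hivelist output into parse_hivelist and the returned plan is the exact sequence of shell commands to run; the only manual step left is substituting the file names dumpregistry actually wrote.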

Walkthrough

1 — What the password?

Instinctively, I used the hashdump plugin to list the stored NTLM hashes on the memory image.

However, the stored NTLM hash for Rick's password, 518172d012f97d3a8fcc089615283940, did not yield a plaintext password in any of the online NTLM crackers I tried.

Our remaining hope is that the password was left lying around somewhere (a text file, a config file, etc.) or, since this is a Windows 7 memory image, that it is stored in the machine's LSA secrets.

True enough, running volatility with the lsadump plugin displays the following:

FLAG: CTF{MortyIsReallyAnOtter}

2 — General Info

To find the system's IP address, we can use volatility's netscan plugin and look at the local address column:

Since we already ran regripper on the registry hives, we can read the hostname from the output of its compname plugin.

FLAG 1: CTF{192.168.202.131}

FLAG 2: CTF{WIN-LO6FAF3DTFE}

3 — Play Time

Looking back at the netscan output from the previous question, we can see a running process called LunarMS.exe.

A quick Google search tells us that it is a MapleStory server. Therefore,

FLAG 1: CTF{LunarMS}

FLAG 2: CTF{77.102.199.102}

4 — Name Game

For this question, our hope rests on the memory-resident pages of the LunarMS.exe process. The netscan output from earlier gave us its process id (pid 708), so we can dump those pages with the memdump plugin:

Now, we can search for the relevant strings pertaining to the question using:

$ strings 708.dmp | grep -a Lunar\-3 -C 5

The string below the second result catches our eye, therefore:

FLAG: CTF{0tt3r8r33z3}

5 — Name Game 2

This one is fairly easy: I opened the dump of the LunarMS.exe process in my favourite hex editor, 010 Editor, and searched for the last 4 bytes (5A 0C 00 00):

FLAG: CTF{M0rtyL0L}
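Both Name Game questions come down to the same two moves on a raw memdump: pull out printable strings with some context around a hit (what `strings | grep -a -C 5` did above) and look at what sits right next to a known byte sequence (what the hex editor search did). The code below is an added example, not from the write-up, that implements both moves in Python so they can be scripted rather than eyeballed. The buffer, the names inside it and the placement of the 5A 0C 00 00 marker are all constructed; they are not bytes from the real 708.dmp.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a memdump output (not the real 708.dmp); every name is made up.
FAKE_DUMP = (
    b"\x00" * 16
    + b"Lunar-3\x00"
    + b"\x01\x02\x03"
    + b"Lunar-3 channel select\x00"
    + b"\x00" * 8
    + b"0tt3rUs3r\x00"             # constructed: plays the role of "the string below the second hit"
    + b"\xff" * 5
    + b"\x5a\x0c\x00\x00"          # the 4-byte sequence from the challenge hint
    + b"Ch4racterN4me\x00"         # constructed: whatever sits next to the marker
    + b"\x00" * 20
)


def ascii_strings(buf: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """What `strings` does: runs of at least min_len printable ASCII bytes, with their offsets."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(buf)]


def grep_context(entries: List[Tuple[int, str]], needle: str, context: int = 5) -> List[List[str]]:
    """Like `grep -C context`: every string containing needle, returned with its neighbours."""
    hits = []
    for i, (_, s) in enumerate(entries):
        if needle in s:
            lo, hi = max(0, i - context), min(len(entries), i + context + 1)
            hits.append([e[1] for e in entries[lo:hi]])
    return hits


def strings_around_marker(buf: bytes, marker: bytes, window: int = 32) -> List[Dict]:
    """For each occurrence of marker, the printable strings in the `window` bytes on either side.

    Returning both sides lets the analyst decide whether the interesting value precedes or
    follows the marker instead of baking that assumption into the search.
    """
    out = []
    pos = buf.find(marker)
    while pos != -1:
        before = buf[max(0, pos - window):pos]
        after = buf[pos + len(marker):pos + len(marker) + window]
        out.append({
            "offset": pos,
            "before": [s for _, s in ascii_strings(before)],
            "after": [s for _, s in ascii_strings(after)],
        })
        pos = buf.find(marker, pos + 1)
    return out


if __name__ == "__main__":
    entries = ascii_strings(FAKE_DUMP)
    for hit in grep_context(entries, "Lunar-3", context=1):
        print("context:", hit)
    for m in strings_around_marker(FAKE_DUMP, b"\x5a\x0c\x00\x00"):
        print(f"marker at 0x{m['offset']:x}: before={m['before']} after={m['after']}")
```

On a real dump, read the file into `buf` and keep `window` small; the marker search is a plain byte search, so it also finds hits that `strings` would split or swallow because they sit between non-printable bytes.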

6 — Silly Rick

The challenge text gives us a huge clue on how to solve this. Since Rick always copies and pastes his password, there is a good chance of recovering it with the clipboard plugin:

FLAG: CTF{M@il_Pr0vid0rs}

7 — Hide and Seek

Running pslist on the memory image, we can see the following interesting processes:

We now have two suspects:

  1. Rick and Morty season 1 download.exe
  2. vmware-tray.exe

Why vmware-tray.exe? Because its ppid (parent process id) shows it was spawned by pid 3820, Rick and Morty season 1 download.exe. To back this up, we can run cmdline:

This shows that vmware-tray.exe is running from an unknown, suspicious path (Temp, anyone?). Therefore:

FLAG: CTF{vmware-tray.exe}

Hmm. It looks like Rick’s system was infected via a malicious torrent file.
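The reasoning in this question (a process is suspicious because of who spawned it and where its image lives) is easy to turn into a check that runs over the whole process list instead of one row at a time. The following is an added example, not part of the write-up: it takes pslist-style rows enriched with the cmdline path, walks each process's ancestry and flags images running from a Temp directory or spawned by a parent that itself runs from a user-writable location. The pids 3820 and 3720 and the two process names come from the write-up; every path, every other row and the "trusted roots" list are constructed assumptions for the demo.

```python
from typing import Dict, List

# Constructed rows in the shape of pslist + cmdline output. Pids 3820/3720 and the two
# suspect names follow the write-up; the paths and the remaining rows are made up.
PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": ""},
    {"pid": 1720, "ppid": 1588, "name": "explorer.exe", "path": r"C:\Windows\Explorer.EXE"},
    {"pid": 2960, "ppid": 1720, "name": "vmtoolsd.exe",
     "path": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"},
    {"pid": 3820, "ppid": 1720, "name": "Rick and Morty season 1 download.exe",
     "path": r"C:\Users\Rick\Downloads\Rick and Morty season 1 download.exe"},
    {"pid": 3720, "ppid": 3820, "name": "vmware-tray.exe",
     "path": r"C:\Users\Rick\AppData\Local\Temp\vmware-tray.exe"},
]

# Assumed: where legitimate system and vendor binaries normally live (lower-cased prefixes).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def ancestry(procs: List[Dict], pid: int) -> List[str]:
    """Process names from pid up to the oldest ancestor still present in the list."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


def triage(procs: List[Dict]) -> List[Dict]:
    """Flag processes that run from Temp or were spawned by a parent outside TRUSTED_ROOTS."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        path = p["path"].lower()
        reasons = []
        if any(marker in path for marker in TEMP_MARKERS):
            reasons.append("image runs from a Temp directory")
        parent = by_pid.get(p["ppid"])
        if parent and parent["path"] and not parent["path"].lower().startswith(TRUSTED_ROOTS):
            reasons.append(f"spawned by {parent['name']} (pid {parent['pid']}), "
                           "which runs from a user-writable location")
        if reasons:
            findings.append({"pid": p["pid"], "name": p["name"], "reasons": reasons,
                             "ancestry": ancestry(procs, p["pid"])})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"pid {f['pid']} {f['name']}: " + "; ".join(f["reasons"]))
        print("  chain:", " <- ".join(f["ancestry"]))
```

The parent check is deliberately one-sided: a parent living under Program Files says nothing on its own, while a parent in Downloads or Temp spawning a child that borrows a vendor's file name (vmware-tray.exe here) is exactly the pattern the write-up spotted by hand.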

8 — Path to Glory

Since we have indicators that this malware came from a torrent file, we need to locate that torrent file in the memory image itself using the filescan plugin:

Dumping the file using the dumpfiles plugin and displaying its information will show us the following:

FLAG: CTF{M3an_T0rren7_4_R!ck}

This further supports our hypothesis that Rick’s system was infected via a malicious torrent file. But how?

9 — Path to Glory 2

For this question, I got the hunch that the file was downloaded somewhere, so I looked into Rick’s browsing history via Google Chrome. A user’s History is located at:

C:\Users\<name>\AppData\Local\Google\Chrome\User Data\Default\History

We can locate it by using the filescan plugin:

Extracting the file with dumpfiles and opening it in sqlitebrowser displays the following:

To find out where the .torrent file was downloaded from, we must look at the site_url column:

We can see that the download was referred by "mail.com", which means the malware found its way onto the system as a malicious attachment to an e-mail. However, we still don't have the credentials Rick used to log into his e-mail account. Or do we?
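Chrome's History file is an ordinary SQLite database, so the sqlitebrowser step above can be scripted: open the dumped file, query the downloads table for the columns of interest (site_url is the one the write-up relied on) and convert the timestamps, which Chrome stores as microseconds since 1601-01-01 UTC rather than Unix time. The code below is an added example, not from the write-up. It builds an in-memory stand-in for a History database containing only the downloads columns it queries (the real table has many more), with constructed rows and example.org/.test URLs that are not the values from the image.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Chrome (WebKit) timestamps: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds: int) -> datetime:
    """Convert a Chrome History timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a dumped History file: only the `downloads` columns we query."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE downloads (
        id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
        received_bytes INTEGER, total_bytes INTEGER,
        referrer TEXT, site_url TEXT, tab_url TEXT)""")
    con.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?)", [
        # constructed rows; the URLs are placeholders, not values from the OtterCTF image
        (1, r"C:\Users\Rick\Downloads\setup.msi", 13186600000000000, 1048576, 1048576,
         "https://example.org/dl/", "https://example.org/", "https://example.org/dl/"),
        (2, r"C:\Users\Rick\Downloads\sample.torrent", 13186700000000000, 4096, 4096,
         "https://webmail.example.test/inbox", "https://webmail.example.test/",
         "https://webmail.example.test/inbox"),
    ])
    con.commit()
    return con


def open_history(path: str) -> sqlite3.Connection:
    """Open a History file extracted with dumpfiles (read-only, so the evidence is untouched)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def torrent_downloads(con: sqlite3.Connection) -> List[Dict[str, str]]:
    """Every .torrent download with the page it came from (site_url) and the referrer."""
    rows = con.execute(
        "SELECT target_path, start_time, site_url, referrer FROM downloads "
        "WHERE lower(target_path) LIKE '%.torrent' ORDER BY start_time").fetchall()
    return [{"target_path": path, "started": webkit_to_datetime(ts).isoformat(),
             "site_url": site, "referrer": ref} for path, ts, site, ref in rows]


if __name__ == "__main__":
    for row in torrent_downloads(build_sample_history()):
        print(row)
```

Swap build_sample_history() for open_history("<dumped History file>") to run the same query on the extracted artefact; the read-only URI keeps sqlite3 from creating journal files next to the evidence.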

To extract e-mail-related artifacts, I used bulk_extractor. Displaying the contents of its resulting email.txt and grepping for "@mail.com" shows the following entries:

We can see that rickopicko@gmail.com exists. If you remember the previous questions, we already have Rick’s email password. We got it thanks to the clipboard plugin (M@il_Pr0vid0rs).

We can now login to Rick’s email account!

FLAG: CTF{Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@in}

10 — Bit 4 Bit

This question can be solved by running strings, with the little-endian flag set, on the executable of process 3720 (extracted with procdump):

FLAG: CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}

11 — Graphic’s For the Weak

I solved this by running foremost on the dumped executable of process 3720, which carves out a .png file:

FLAG: CTF{S0_Just_M0v3_Socy}

12 — Recovery

Executing strings on the memory dump of the malware process with the little-endian flag set will display the following:

Image 1
Image 2

Pay attention to the highlighted string. At first glance it looks harmless, but its surroundings make it stand out: it sits right next to the computer's hostname, after the names of encrypted files (e.g. Flag.txt) and before a ransomware's usual target extensions (.txt, .doc, .xlsx, etc.). Therefore:

FLAG: CTF{aDOBofVYUNVnmp7}
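Both "Bit 4 Bit" and "Recovery" depend on the little-endian flag: a .NET binary like this one keeps its string literals as UTF-16LE, where every character is followed by a 0x00 byte, so a plain ASCII strings pass sees nothing longer than one character. The code below is an added example, not from the write-up, that implements that wide-string extraction and the "look at what sits near the hostname" reasoning from the Recovery question. The buffer, the hostname WIN-EXAMPLE and the other strings in it are constructed; none of them are bytes from the real process dump.

```python
import re
from typing import List, Tuple


def utf16le(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed buffer imitating a slice of a .NET process dump: the literals are UTF-16LE.
FAKE_DUMP = (
    b"\x00" * 8
    + utf16le("WIN-EXAMPLE") + b"\x00\x00"       # constructed hostname
    + utf16le("Flag.txt.locked") + b"\x00\x00"   # constructed: an encrypted file name
    + utf16le("s3cr3tKeyHere") + b"\x00\x00"     # constructed: the odd string beside the hostname
    + utf16le(".txt") + b"\x00\x00"
    + utf16le(".doc") + b"\x00\x00"
    + utf16le(".xlsx") + b"\x00\x00"
    + b"plain ascii marker\x00"                  # the only thing an ASCII-only pass will see
    + b"\x00" * 8
)


def ascii_strings(buf: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Plain `strings`: runs of printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(buf)]


def wide_strings(buf: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """`strings -e l`: runs of printable ASCII characters each followed by a 0x00 byte."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(buf)]


def strings_near(entries: List[Tuple[int, str]], anchor: str, radius: int) -> List[str]:
    """Strings whose start offset lies within `radius` bytes of every occurrence of `anchor`.

    This is the Recovery reasoning made mechanical: list what sits next to the hostname
    and let the analyst judge which neighbour does not belong there.
    """
    anchors = [off for off, s in entries if s == anchor]
    return [s for off, s in entries
            if s != anchor and any(abs(off - a) <= radius for a in anchors)]


if __name__ == "__main__":
    print("ascii only:", [s for _, s in ascii_strings(FAKE_DUMP)])
    print("utf-16le:  ", [s for _, s in wide_strings(FAKE_DUMP)])
    print("near hostname:", strings_near(wide_strings(FAKE_DUMP), "WIN-EXAMPLE", radius=64))
```

The two extractors are kept separate on purpose: running both over a dump and diffing the results shows immediately which strings only exist in the wide form, which is the whole reason the little-endian flag mattered in these two questions.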

13 — Closure

If you look at the indicators present in the malware:

  1. VapeHacksLoader.exe
  2.

These point you to $ucyLocker, a HiddenTear-based malware.

To decrypt the file (Flag.txt — located on Rick’s Desktop), I used this tool: HiddenTear Decrypter.

However, some changes need to be made to the file itself before it can be decrypted. First, we need to add the .WINDOWS file extension. Second, we need to remove the trailing NULL bytes.
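Both of those fix-ups are easy to get subtly wrong by hand, so here is an added example (not from the write-up, and not part of the HiddenTear Decrypter tool) that does them in code. The trap is the trailing NULLs: a file extracted from memory carries zero padding after the real content, but the last bytes of the ciphertext can legitimately be 0x00 too, and a naive strip would chop them off and make decryption fail. The example assumes, as the lead-in's own assumption, that a HiddenTear-style ciphertext is raw AES output and therefore a multiple of 16 bytes long, so it only trims down to the nearest 16-byte boundary that still covers every non-zero byte. The file name and the padding size in the demo are constructed.

```python
import os
import tempfile
from typing import Dict

# Assumed: HiddenTear-style ransomware writes raw AES block-cipher output, so the real
# ciphertext length is a multiple of 16 bytes. Adjust if the sample uses another format.
AES_BLOCK = 16


def trim_trailing_nulls(data: bytes, block: int = AES_BLOCK) -> bytes:
    """Remove the zero padding after the content without cutting into the ciphertext.

    Keeps the smallest block-aligned length that still covers every non-zero byte, so a
    genuine 0x00 at the end of the last cipher block survives.
    """
    content_len = len(data.rstrip(b"\x00"))
    aligned = -(-content_len // block) * block   # round content_len up to a multiple of block
    return data[:min(aligned, len(data))]


def prepare_for_decrypter(path: str, ext: str = ".WINDOWS") -> str:
    """Trim the padding and give the file the extension the decrypter expects; returns the new path."""
    with open(path, "rb") as fh:
        data = fh.read()
    trimmed = trim_trailing_nulls(data)
    new_path = path if path.upper().endswith(ext) else path + ext
    with open(new_path, "wb") as fh:
        fh.write(trimmed)
    if new_path != path:
        os.remove(path)
    return new_path


def demo() -> Dict[str, object]:
    """Constructed ciphertext (32 bytes, last two genuinely 0x00) plus 4064 bytes of padding."""
    body = bytes(range(1, 31)) + b"\x00\x00"
    padded = body + b"\x00" * (4096 - len(body))
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "Flag.txt")            # constructed copy, not Rick's file
        with open(p, "wb") as fh:
            fh.write(padded)
        out = prepare_for_decrypter(p)
        return {"name": os.path.basename(out), "size": os.path.getsize(out)}


if __name__ == "__main__":
    print(demo())
```

In the demo the naive rstrip would leave 30 bytes, which no AES decrypter will accept; the block-aware trim returns the full 32 so the padding check inside the decrypter can succeed.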

After doing so, supplying the password will decrypt the file:

Done!

FLAG: CTF{Im_Th@_B3S7_RicK_0f_Th3m_4ll}

Thanks for reading!
